Generate and maintain DKIM keys for the domains on your setup. This setup relies on the same structure as dnssec-signer; please see the dnssec-signer tool, as this is very similar.
This is a basic configuration that can easily be adapted to suit a standard setup. Please read the configuration files below carefully, and read up on OpenDKIM before you continue, so you understand what's going on. This isn't a tutorial.

opendkim.conf:
# Comments removed; read the file you got when installing opendkim
# Log to syslog
Syslog yes
# For debugging purposes
# LogWhy true
UMask 002
UserID opendkim
# Map domains in From addresses to keys used to sign messages
SigningTable refile:/etc/opendkim/signing.table
KeyTable /etc/opendkim/key.table
# Hosts to ignore when verifying signatures
ExternalIgnoreList /etc/opendkim/trusted.hosts
InternalHosts /etc/opendkim/trusted.hosts
# Commonly used options
Canonicalization relaxed/simple
Mode sv
SubDomains yes
AutoRestart yes
AutoRestartRate 10/1M
Background yes
DNSTimeout 5
SignatureAlgorithm rsa-sha256
OversignHeaders From

/etc/opendkim/signing.table:
*@domain.tld domain.tld
*@domain2.tld domain2.tld

/etc/opendkim/key.table:
domain.tld domain.tld:DDMMYY:/etc/opendkim/keys/domain.tld/DDMMYY.private
domain2.tld domain2.tld:DDMMYY:/etc/opendkim/keys/domain2.tld/DDMMYY.private

/etc/opendkim/trusted.hosts:
127.0.0.1
::1
localhost
domain.tld
mail.domain.tld

Possibly add more domains here if you are sending through multiple hosts. In my case, every domain sends through mail.domain.tld.
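
A consistency check for the signing table and key table layout shown above, as an added example that is not part of this tool: it confirms every signing-table entry resolves to a usable key-table entry and lists the `selector._domainkey.domain` TXT names to publish. The sample tables, the function names, the six-digit reading of DDMMYY and the path check are assumptions based on the entries on this page.

```python
import re

# Constructed sample tables in the layout used on this page (selector = DDMMYY).
SIGNING_TABLE = """\
*@domain.tld domain.tld
*@domain2.tld domain2.tld
*@domain3.tld domain3.tld
"""
KEY_TABLE = """\
domain.tld domain.tld:010124:/etc/opendkim/keys/domain.tld/010124.private
domain2.tld domain2.tld:1JAN24:/etc/opendkim/keys/domain2.tld/010124.private
"""

def parse_table(text):
    """Return (key, value) pairs, skipping blank lines and # comments."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, value = (line.split(None, 1) + [""])[:2]
            rows.append((key, value.strip()))
    return rows

def check_tables(signing_text, key_text):
    """Cross-check both tables; return (dns_txt_names, problems)."""
    keys, problems, dns_names = {}, [], []
    for name, value in parse_table(key_text):
        parts = value.split(":", 2)
        if len(parts) != 3:
            problems.append(f"{name}: expected domain:selector:keypath")
            continue
        domain, selector, path = parts
        if not re.fullmatch(r"\d{6}", selector):  # assumed DDMMYY format
            problems.append(f"{name}: selector {selector!r} is not DDMMYY")
        elif not path.endswith(f"/{domain}/{selector}.private"):
            problems.append(f"{name}: key path does not match domain/selector")
        else:
            keys[name] = (domain, selector)
    for pattern, name in parse_table(signing_text):
        if name not in keys:
            problems.append(f"{pattern}: no usable key table entry {name!r}")
        else:
            domain, selector = keys[name]
            dns_names.append(f"{selector}._domainkey.{domain}")
    return dns_names, problems

if __name__ == "__main__":
    print(check_tables(SIGNING_TABLE, KEY_TABLE))
```
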